Merge from vendor branch OPENSSL:
[dragonfly.git] / secure / usr.bin / openssl / man / s_client.1
CommitLineData
2eaa1526 1.\" Automatically generated by Pod::Man 2.12 (Pod::Simple 3.05)
8b0cefbb
JR
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sh \" Subsection heading
984263bc
MD
6.br
7.if t .Sp
8.ne 5
9.PP
10\fB\\$1\fR
11.PP
12..
8b0cefbb 13.de Sp \" Vertical space (when we can't use .PP)
984263bc
MD
14.if t .sp .5v
15.if n .sp
16..
8b0cefbb 17.de Vb \" Begin verbatim text
984263bc
MD
18.ft CW
19.nf
20.ne \\$1
21..
8b0cefbb 22.de Ve \" End verbatim text
984263bc 23.ft R
984263bc
MD
24.fi
25..
8b0cefbb
JR
26.\" Set up some character translations and predefined strings. \*(-- will
27.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
2eaa1526
PA
28.\" double quote, and \*(R" will give a right double quote. \*(C+ will
29.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
30.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
31.\" nothing in troff, for use with C<>.
32.tr \(*W-
8b0cefbb 33.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
984263bc 34.ie n \{\
8b0cefbb
JR
35. ds -- \(*W-
36. ds PI pi
37. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
38. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
39. ds L" ""
40. ds R" ""
41. ds C` ""
42. ds C' ""
984263bc
MD
43'br\}
44.el\{\
8b0cefbb
JR
45. ds -- \|\(em\|
46. ds PI \(*p
47. ds L" ``
48. ds R" ''
984263bc 49'br\}
8b0cefbb
JR
50.\"
51.\" If the F register is turned on, we'll generate index entries on stderr for
52.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
53.\" entries marked with X<> in POD. Of course, you'll have to process the
54.\" output yourself in some meaningful fashion.
55.if \nF \{\
56. de IX
57. tm Index:\\$1\t\\n%\t"\\$2"
984263bc 58..
8b0cefbb
JR
59. nr % 0
60. rr F
984263bc 61.\}
8b0cefbb 62.\"
8b0cefbb
JR
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
984263bc 66.if n \{\
8b0cefbb
JR
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
984263bc
MD
72.\}
73.if t \{\
8b0cefbb
JR
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
984263bc 79.\}
8b0cefbb 80. \" simple accents for nroff and troff
984263bc 81.if n \{\
8b0cefbb
JR
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
984263bc
MD
88.\}
89.if t \{\
8b0cefbb
JR
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
984263bc 96.\}
8b0cefbb 97. \" troff and (daisy-wheel) nroff accents
984263bc
MD
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
8b0cefbb 107. \" corrections for vroff
984263bc
MD
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
8b0cefbb 110. \" for low resolution devices (crt and lpr)
984263bc
MD
111.if \n(.H>23 .if \n(.V>19 \
112\{\
8b0cefbb
JR
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
984263bc
MD
122.\}
123.rm #[ #] #H #V #F C
8b0cefbb
JR
124.\" ========================================================================
125.\"
126.IX Title "S_CLIENT 1"
2eaa1526
PA
127.TH S_CLIENT 1 "2007-10-24" "0.9.8g" "OpenSSL"
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
984263bc 132.SH "NAME"
e3cdf75b 133s_client \- SSL/TLS client program
984263bc 134.SH "SYNOPSIS"
8b0cefbb
JR
135.IX Header "SYNOPSIS"
136\&\fBopenssl\fR \fBs_client\fR
e3cdf75b 137[\fB\-connect host:port\fR]
984263bc
MD
138[\fB\-verify depth\fR]
139[\fB\-cert filename\fR]
a561f9ff 140[\fB\-certform DER|PEM\fR]
984263bc 141[\fB\-key filename\fR]
a561f9ff
SS
142[\fB\-keyform DER|PEM\fR]
143[\fB\-pass arg\fR]
984263bc
MD
144[\fB\-CApath directory\fR]
145[\fB\-CAfile filename\fR]
146[\fB\-reconnect\fR]
147[\fB\-pause\fR]
148[\fB\-showcerts\fR]
149[\fB\-debug\fR]
150[\fB\-msg\fR]
151[\fB\-nbio_test\fR]
152[\fB\-state\fR]
153[\fB\-nbio\fR]
154[\fB\-crlf\fR]
155[\fB\-ign_eof\fR]
156[\fB\-quiet\fR]
157[\fB\-ssl2\fR]
158[\fB\-ssl3\fR]
159[\fB\-tls1\fR]
160[\fB\-no_ssl2\fR]
161[\fB\-no_ssl3\fR]
162[\fB\-no_tls1\fR]
163[\fB\-bugs\fR]
164[\fB\-cipher cipherlist\fR]
e3cdf75b 165[\fB\-starttls protocol\fR]
984263bc 166[\fB\-engine id\fR]
2c0715f4
PA
167[\fB\-tlsextdebug\fR]
168[\fB\-no_ticket\fR]
169[\fB\-sess_out filename\fR]
170[\fB\-sess_in filename\fR]
e3cdf75b 171[\fB\-rand file(s)\fR]
984263bc 172.SH "DESCRIPTION"
8b0cefbb
JR
173.IX Header "DESCRIPTION"
174The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects
175to a remote host using \s-1SSL/TLS\s0. It is a \fIvery\fR useful diagnostic tool for
176\&\s-1SSL\s0 servers.
984263bc 177.SH "OPTIONS"
8b0cefbb
JR
178.IX Header "OPTIONS"
179.IP "\fB\-connect host:port\fR" 4
180.IX Item "-connect host:port"
984263bc
MD
181This specifies the host and optional port to connect to. If not specified
182then an attempt is made to connect to the local host on port 4433.
8b0cefbb
JR
183.IP "\fB\-cert certname\fR" 4
184.IX Item "-cert certname"
984263bc
MD
185The certificate to use, if one is requested by the server. The default is
186not to use a certificate.
a561f9ff
SS
187.IP "\fB\-certform format\fR" 4
188.IX Item "-certform format"
189The certificate format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default.
8b0cefbb
JR
190.IP "\fB\-key keyfile\fR" 4
191.IX Item "-key keyfile"
984263bc
MD
192The private key to use. If not specified then the certificate file will
193be used.
a561f9ff
SS
194.IP "\fB\-keyform format\fR" 4
195.IX Item "-keyform format"
196The private format to use: \s-1DER\s0 or \s-1PEM\s0. \s-1PEM\s0 is the default.
197.IP "\fB\-pass arg\fR" 4
198.IX Item "-pass arg"
199the private key password source. For more information about the format of \fBarg\fR
200see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
8b0cefbb
JR
201.IP "\fB\-verify depth\fR" 4
202.IX Item "-verify depth"
984263bc
MD
203The verify depth to use. This specifies the maximum length of the
204server certificate chain and turns on server certificate verification.
205Currently the verify operation continues after errors so all the problems
206with a certificate chain can be seen. As a side effect the connection
207will never fail due to a server certificate verify failure.
8b0cefbb
JR
208.IP "\fB\-CApath directory\fR" 4
209.IX Item "-CApath directory"
984263bc
MD
210The directory to use for server certificate verification. This directory
211must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
212also used when building the client certificate chain.
8b0cefbb
JR
213.IP "\fB\-CAfile file\fR" 4
214.IX Item "-CAfile file"
984263bc
MD
215A file containing trusted certificates to use during server authentication
216and to use when attempting to build the client certificate chain.
8b0cefbb
JR
217.IP "\fB\-reconnect\fR" 4
218.IX Item "-reconnect"
984263bc
MD
219reconnects to the same server 5 times using the same session \s-1ID\s0, this can
220be used as a test that session caching is working.
8b0cefbb
JR
221.IP "\fB\-pause\fR" 4
222.IX Item "-pause"
984263bc 223pauses 1 second between each read and write call.
8b0cefbb
JR
224.IP "\fB\-showcerts\fR" 4
225.IX Item "-showcerts"
984263bc
MD
226display the whole server certificate chain: normally only the server
227certificate itself is displayed.
8b0cefbb
JR
228.IP "\fB\-prexit\fR" 4
229.IX Item "-prexit"
984263bc
MD
230print session information when the program exits. This will always attempt
231to print out information even if the connection fails. Normally information
232will only be printed out once if the connection succeeds. This option is useful
233because the cipher in use may be renegotiated or the connection may fail
234because a client certificate is required or is requested only after an
235attempt is made to access a certain \s-1URL\s0. Note: the output produced by this
236option is not always accurate because a connection might never have been
237established.
8b0cefbb
JR
238.IP "\fB\-state\fR" 4
239.IX Item "-state"
984263bc 240prints out the \s-1SSL\s0 session states.
8b0cefbb
JR
241.IP "\fB\-debug\fR" 4
242.IX Item "-debug"
984263bc 243print extensive debugging information including a hex dump of all traffic.
8b0cefbb
JR
244.IP "\fB\-msg\fR" 4
245.IX Item "-msg"
984263bc 246show all protocol messages with hex dump.
8b0cefbb
JR
247.IP "\fB\-nbio_test\fR" 4
248.IX Item "-nbio_test"
984263bc 249tests non-blocking I/O
8b0cefbb
JR
250.IP "\fB\-nbio\fR" 4
251.IX Item "-nbio"
984263bc 252turns on non-blocking I/O
8b0cefbb
JR
253.IP "\fB\-crlf\fR" 4
254.IX Item "-crlf"
984263bc
MD
255this option translated a line feed from the terminal into \s-1CR+LF\s0 as required
256by some servers.
8b0cefbb
JR
257.IP "\fB\-ign_eof\fR" 4
258.IX Item "-ign_eof"
984263bc
MD
259inhibit shutting down the connection when end of file is reached in the
260input.
8b0cefbb
JR
261.IP "\fB\-quiet\fR" 4
262.IX Item "-quiet"
984263bc
MD
263inhibit printing of session and certificate information. This implicitly
264turns on \fB\-ign_eof\fR as well.
8b0cefbb
JR
265.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
266.IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
984263bc
MD
267these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
268the initial handshake uses a method which should be compatible with all
269servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
270.Sp
271Unfortunately there are a lot of ancient and broken servers in use which
272cannot handle this technique and will fail to connect. Some servers only
273work if \s-1TLS\s0 is turned off with the \fB\-no_tls\fR option others will only
274support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option.
8b0cefbb
JR
275.IP "\fB\-bugs\fR" 4
276.IX Item "-bugs"
984263bc
MD
277there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
278option enables various workarounds.
8b0cefbb
JR
279.IP "\fB\-cipher cipherlist\fR" 4
280.IX Item "-cipher cipherlist"
984263bc
MD
281this allows the cipher list sent by the client to be modified. Although
282the server determines which cipher suite is used it should take the first
283supported cipher in the list sent by the client. See the \fBciphers\fR
284command for more information.
8b0cefbb
JR
285.IP "\fB\-starttls protocol\fR" 4
286.IX Item "-starttls protocol"
287send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
288\&\fBprotocol\fR is a keyword for the intended protocol. Currently, the only
edae4a78 289supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", and \*(L"ftp\*(R".
2c0715f4
PA
290.IP "\fB\-tlsextdebug\fR" 4
291.IX Item "-tlsextdebug"
292print out a hex dump of any \s-1TLS\s0 extensions received from the server. Note: this
293option is only available if extension support is explicitly enabled at compile
294time
295.IP "\fB\-no_ticket\fR" 4
296.IX Item "-no_ticket"
297disable RFC4507bis session ticket support. Note: this option is only available
298if extension support is explicitly enabled at compile time
299.IP "\fB\-sess_out filename\fR" 4
300.IX Item "-sess_out filename"
301output \s-1SSL\s0 session to \fBfilename\fR
302.IP "\fB\-sess_in sess.pem\fR" 4
303.IX Item "-sess_in sess.pem"
304load \s-1SSL\s0 session from \fBfilename\fR. The client will attempt to resume a
305connection from this session.
8b0cefbb
JR
306.IP "\fB\-engine id\fR" 4
307.IX Item "-engine id"
984263bc
MD
308specifying an engine (by it's unique \fBid\fR string) will cause \fBs_client\fR
309to attempt to obtain a functional reference to the specified engine,
310thus initialising it if needed. The engine will then be set as the default
311for all available algorithms.
8b0cefbb
JR
312.IP "\fB\-rand file(s)\fR" 4
313.IX Item "-rand file(s)"
984263bc 314a file or files containing random data used to seed the random number
8b0cefbb
JR
315generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
316Multiple files can be specified separated by a OS-dependent character.
2eaa1526 317The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
984263bc
MD
318all others.
319.SH "CONNECTED COMMANDS"
8b0cefbb
JR
320.IX Header "CONNECTED COMMANDS"
321If a connection is established with an \s-1SSL\s0 server then any data received
984263bc
MD
322from the server is displayed and any key presses will be sent to the
323server. When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR
324have been given), the session will be renegotiated if the line begins with an
8b0cefbb 325\&\fBR\fR, and if the line begins with a \fBQ\fR or if end of file is reached, the
984263bc
MD
326connection will be closed down.
327.SH "NOTES"
8b0cefbb
JR
328.IX Header "NOTES"
329\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL\s0 \s-1HTTP\s0
984263bc
MD
330server the command:
331.PP
332.Vb 1
2eaa1526 333\& openssl s_client \-connect servername:443
984263bc 334.Ve
8b0cefbb 335.PP
984263bc 336would typically be used (https uses port 443). If the connection succeeds
8b0cefbb 337then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET\s0 /\*(R" to retrieve a web page.
984263bc
MD
338.PP
339If the handshake fails then there are several possible causes, if it is
340nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
8b0cefbb 341\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried
984263bc
MD
342in case it is a buggy server. In particular you should play with these
343options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
344.PP
345A frequent problem when attempting to get client certificates working
346is that a web client complains it has no certificates or gives an empty
347list to choose from. This is normally because the server is not sending
8b0cefbb
JR
348the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
349requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed
984263bc 350and checked. However some servers only request client authentication
8b0cefbb
JR
351after a specific \s-1URL\s0 is requested. To obtain the list in this case it
352is necessary to use the \fB\-prexit\fR option and send an \s-1HTTP\s0 request
984263bc
MD
353for an appropriate page.
354.PP
355If a certificate is specified on the command line using the \fB\-cert\fR
356option it will not be used unless the server specifically requests
357a client certificate. Therefor merely including a client certificate
358on the command line is no guarantee that the certificate works.
359.PP
360If there are problems verifying a server certificate then the
8b0cefbb 361\&\fB\-showcerts\fR option can be used to show the whole chain.
2c0715f4
PA
362.PP
363Since the SSLv23 client hello cannot include compression methods or extensions
364these will only be supported if its use is disabled, for example by using the
365\&\fB\-no_sslv2\fR option.
366.PP
367\&\s-1TLS\s0 extensions are only supported in OpenSSL 0.9.8 if they are explictly
368enabled at compile time using for example the \fBenable-tlsext\fR switch.
984263bc 369.SH "BUGS"
8b0cefbb 370.IX Header "BUGS"
984263bc
MD
371Because this program has a lot of options and also because some of
372the techniques used are rather old, the C source of s_client is rather
373hard to read and not a model of how things should be done. A typical
8b0cefbb 374\&\s-1SSL\s0 client program would be much simpler.
984263bc
MD
375.PP
376The \fB\-verify\fR option should really exit if the server verification
377fails.
378.PP
379The \fB\-prexit\fR option is a bit of a hack. We should really report
380information whenever a session is renegotiated.
381.SH "SEE ALSO"
e3cdf75b 382.IX Header "SEE ALSO"
8b0cefbb 383\&\fIsess_id\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1)